NSO Group Former Employee Attempts to Sell Company Spyware on Dark Web

The Israeli-based NSO Group sells powerful spyware products around the world. Its only clients are government agencies that purchase the top-shelf malware largely to remotely break into iPhones of their targets.

According to an indictment issued by Israel’s Justice Ministry first published by Israeli press, a former NSO employee has stolen the firm’s spyware product, Pegasus, and attemped to sell it on the dark web for $50 million in cryptocurrency. The stolen software is apparently worth millions of dollars.

The unnamed suspect was a senior programmer (aged 38) who had joined the company last year and had access to NSO’s servers and proprietary products and tools as a necessary part of his job.

A statement from the ministry described the former employee being called into a hearing by NSO Group on April 29th, during which he expressed his dissatisfaction with the company. The Israeli investigators allege that following the meeting, he went back to his workstation and copied the source code of multiple tools to an external hard drive. He was later dismissed by the company.

While NSO Group has systems in place to prevent employees attaching external storage devices to its computers, the employee apparently found a way to disable those protections, enabling him to steal a cache of data, which included NSO product code, “which allows exposure and a full understanding of how the system operates” and “cyber capabilities.”

Allegedly, a month following the April meeting, the employee went onto the Tor2MailTor-based anonymous email service in order to register an anonymous email address. On June 2nd, he contacted a buyer and posing as a hacker, offered to sell NSO data for $50M paid in cryptocurrencies such as Monero, Verge and Zcash.

The prospective buyer in fact double-bluffed the former NSO employee and contacted NSO. The company was able to purportedly track the theft of its software via forensics logs on its internal servers and discovered that there had indeed been a major security breach involving copying of its tools on April 29th, the date of the meeting with the disaffected employee.

June 5th came round and Israeli police searched the employee’s home and were able to arrest him, after finding the hard drive storing the stolen malware hidden under his mattress; rather an unsophisticated move.

The NSO Group has encountered some controversy over the years about its selling practices. In addition to selling its zero-days and spyware to government agencies in democracies, it has also been called out for selling them to regimes that have gone on to abuse them. In the United Arab Emirates, the government used Pegasus to target the political dissident Ahmed Mansoor, who was recently given a ten year prison term. In Mexico, journalists and human rights activists have been spyed on by authorities using NSO malware.

The news of the spyware theft demonstrates the danger of larger potential abuse of NSO’s products. Ron Deibert, director of the Citizen Lab, Munk School of Global Affairs at the University of Toronto, toldMotherboard, “The commercial spyware industry as a whole is new, lucrative and powerful, but also immature, largely unregulated, lacking in professional conduct, and prone to abuse. Theft and illicit sale of powerful surveillance technologies will happen in such circumstances, and provides yet another example of the need for greater regulatory control over the industry.”